AGREEMENTS BETWEEN EUROPOL AND BULGARIA,
CYPRUS AND THE SLOVAK REPUBLIC

Letter from the Chairman to Bob Ainsworth
MP, Under-Secretary of State Home Office

Sub-Committee F (Social Affairs, Education and
Home Affairs) considered these documents on 29 January. We note
that, according to the Joint Supervisory Body, there are no data
protection obstacles to the conclusion of the Agreement. There
are, however, a number of points on the text (very similar to points
we are raising on the Europol/Bulgaria Agreement) on which we
would welcome clarification.

Competent authorities

We note that the list of Slovak competent authorities
in Annex 2 of the Agreement is already broad, including "police
authorities" and "prosecutors' offices". Article
6(1) further states that Slovakia "shall notify Europol of
any changes to this list within three months after such changes
come into effect". It appears that the only condition for
the extension of the list of Slovak authorities which can receive
Europol data (which would constitute an amendment to one of the
Annexes of the Agreement) is a mere notification by the Slovak
authorities, with no control by Europol or the Council of Ministers.
I would be grateful if you could confirm whether this is the case
as there would then seem to be no check on the proliferation of
competent authorities.

Termination of supply of personal data

Article 9(5) states that "no personal data
shall be supplied where an adequate level of data protection is
no longer guaranteed". It is not clear how this would be
assessed and which body would decide the termination of data supply.
Can this be done unilaterally by one of the Parties?

Amendments to the Agreement

Article 19(1) states that the Agreement may
be amended "by mutual consent between the Contracting Parties".
It is unclear whether such an amendment would require fresh Council
approval, and to what extent it would be subject to national Parliamentary
scrutiny.

We would welcome your comments on these points.
In the meantime, the Committee will retain the documents under
scrutiny.

30 January 2003

Letter from the Chairman to Bob Ainsworth
MP Under-Secretary of State Home Office

Sub-Committee F (Social Affairs, Education and
Home Affairs) considered these documents on 29 January.

We note that the Joint Supervisory Body has
in principle given the green light for the conclusion of the Agreement.
There remain, however, substantial concerns on its implementation,
most notably regarding the fact that the Bulgarian Data Protection
Commission has apparently not yet been established. The JSB notes
that no transmission of data from Europol to Bulgaria may take
place prior to the establishment of this body, but it seems doubtful
whether there is any power to prevent data exchange taking place
once the Agreement is concluded as it does not itself contain
any reference to the Data Protection Commission. It is thus essential
to ensure that the Bulgarian Data Protection Commission is in
place prior to the conclusion of the Agreement, and we would be
grateful for confirmation of that.

There are a number of other points on the text
of the Agreement on which we would be grateful for clarification.

Competent authorities

Article 6(1) states that the Republic of Bulgaria
shall notify Europol of any changes to the list of competent authorities
within three months after such changes come into effect. It appears
thus that the only condition for the extension of the list of
Bulgarian authorities which can receive Europol data (which would
constitute an amendment to one of the Annexes of the Agreement)
is a mere notification by the Bulgarian authorities, with no control
by Europol or the Council of Ministers. I would be grateful if
you could confirm whether this is the case as there would then
seem to be no check on the proliferation of competent authorities.

Termination of supply of personal data

Article 9(5) states that "no personal data
shall be supplied where an adequate level of data protection is
no longer guaranteed". It is not clear how this would be
assessed and which body would decide the termination of data supply.
Could this be done unilaterally by one of the Parties?

Amendments to the Agreement

Article 19(1) states that the Agreement may
be amended "by mutual consent between the Contracting Parties".
It is unclear whether such an amendment would require fresh Council
approval, and to what extent it would be subject to national Parliamentary
scrutiny.

We would welcome your comments on these points.
In the meantime, the Committee will retain the documents under
scrutiny.

30 January 2003

Letter from the Chairman to Bob Ainsworth
MP Under-Secretary of State Home Office

Sub-Committee F (Social Affairs, Education and
Home Affairs) considered these documents on 12 February.

We note that the Joint Supervisory Body has
in principle given the green light for the conclusion of the Agreement.
There remain, however, some concerns about its implementation,
as it appears that Cypriot data protection legislation has not
yet entered into force. The JSB notes that no data exchange can
take place before such legislation enters into force, but it is
doubtful whether there is any power to ensure that data exchange
will not take place once the Agreement is concluded. It is thus
essential to ensure that the appropriate legislation has entered
into force prior to the conclusion of the Agreement, and we would
be grateful for confirmation of that.

There are a number of other points on the text
of the Agreement on which we would be grateful for clarification.
These are similar to points we have raised on the draft Agreements
with Bulgaria and Slovakia, but I repeat them here for convenience.

Competent authorities

Article 6(1) states that the Republic of Cyprus
shall notify Europol of any changes to the list of competent authorities
within three months after such changes come into effect. It appears
that the only condition for the extension of the list of Cypriot
authorities which may receive Europol data (which would constitute
an amendment to one of the Annexes of the Agreement) is a mere
notification by the Cypriot authorities, with no control by Europol
or the Council of Ministers. I would be grateful if you could
confirm whether this is the case as there would then seem to be
no check on the proliferation of competent authorities.

Termination of supply of personal data

Article 9(5) states that "no personal data
shall be supplied where an adequate level of data protection is
no longer guaranteed". It is not clear how this would be
assessed and which body would decide the termination of data supply.
Could this be done unilaterally by one of the Parties?

Amendments to the Agreement

Article 19(1) states that the Agreement may
be amended "by mutual consent between the Contracting Parties".
It is unclear whether such an amendment would require fresh Council
approval, and to what extent it would be subject to national Parliamentary
scrutiny.

We would welcome your comments on these points.
In the meantime, the Committee will retain the documents under
scrutiny.

14 February 2003

Letter from Lord Filkin Parliamentary
Under Secretary of State to the Chairman

I am replying on Bob Ainsworth's behalf to your
letter of 14 February 2003 in which you raised on behalf of Sub-Committee
F (Social Affairs, Education and Home Affairs) a number of questions
concerning the draft agreement between Europol and the Republic
of Cyprus.

1. CYPRIOT DATA
PROTECTION LEGISLATION

You explain that the Committee is concerned
to ensure that the agreement will not be concluded before the
Cypriot data protection legislation, that is mentioned in the
Joint Supervisory Body's opinion, has entered into force. My officials
have raised this matter with Europol, emphasising that it is important
to us that the legislation should be in force before the agreement
is concluded. Europol have now advised that there has apparently
been a misunderstanding between the Cypriot authorities and the
JSB: the extra data protection legislation that Cyprus is currently
introducing relates to marketing data, and does not concern the
handling of data for law-enforcement. Cyprus does in fact already
have in place the necessary legislation to meet all the data protection
provisions in the text of the agreement. The General Secretariat
of the Council have now received confirmation of this from the
Office of the Commissioner for Personal Data Protection in Cyprus,
see the attached communication under cover of a note of 19 February
2003 from Europol. In the light of this assurance, we would not
wish to stand in the way of concluding this agreement.

As you note in your letter, the other points
raised by the Committee in relation to this agreement are similar
to those raised on the draft agreements with Bulgaria and the
Slovak Republic. Bob Ainsworth wrote to you on 17 February providing
explanations on these points, and they apply equally to the Cyprus
agreement. I repeat them here for ease of reference.

2. COMPETENT
AUTHORITIES

The Committee seeks clarification of the procedure
for amending the list of competent authorities under Article 6(1).
We agree that a change to the list would constitute an amendment
to the agreement. It would therefore require approval of the Council
as I explain under point 4 below.

2. TERMINATION OF SUPPLY OF PERSONAL
DATA

The Committee asks about Article 9(5) which
provides that personal data shall not be supplied where an adequate
level of data protection is no longer guaranteed. The Committee
asks how the adequacy would be assessed, which body would decide
on termination, and whether termination could be done unilaterally
by one of the Parties. We understand that there is not a formal
procedure for assessing the continued adequacy of the data protection
arrangements, but that if, in operating the agreement, it came
to Europol's attention that the arrangements were not, or possibly
not, working as intended, then the circumstances and relevant
indications giving cause for concern would be reported up the
management line for further consideration. In the event that a
situation arose where Europol concluded that the arrangements
could no longer be regarded as satisfactory, then termination
of the supply of data would be a certain consequence, determined
administratively by the Director of Europol, in the absence of
immediate remedial action by the Cypriot competent authorities.
We understand that there is no impediment under the agreement
to termination of the supply being by way of unilateral action.

4. AMENDMENTS TO THE
AGREEMENT

The Committee asks whether amendment of the
agreement under Article 19(1) would require approval of the Council.
Europol's agreements with third countries are governed by the
Council Act of 3 November 1998 laying down rules governing Europol's
external relations with third States and non-European Union related
bodies. Article 2(3) provides that such agreements can only be
concluded after unanimous approval by the Council. We understand
that amendments to the agreements would similarly require the
unanimous approval of the Council. Accordingly, amendments would
be subject to Parliamentary scrutiny.

20 February 2003

Europol: Additional Information-Data Protection
Situation Cyprus

It has come to the attention of Europol that
certain questions have been raised with respect to the entry into
force of amendments to the Cyprus Data Protection Law. In response
to this, Europol has asked the Data Protection Commissioner of
Cyprus for further clarification. Attached to this document you
will find the statement received today by Europol on this issue
from the Cyprus Data Protection Commissioner.

Republic of Cyprus

Office of the Commissioner for Personal
Data Protection

"The Processing of Personal Data Law of
the Republic of Cyprus (138(1) of 2001) regulates all areas of
data processing within the Republic of Cyprus. I can confirm that
the Processing of Personal Data Law is fully in line with the
relevant European legislation in the area of data protection.
An amendment of the Law which relates to direct marketing is currently
pending before Parliament.

I would like to stress that the proposed amendments
to the Processing of Personal Data Law solely cover aspects of
direct marketing, and do not change the provisions of data protection
that are relevant for data processing for the purpose of law enforcement,
or data processing by law enforcement authorities. In this respect
the draft amendments will bring about no change to the Processing
of Personal Data Law of 2001. As a consequence, the references
to the provisions of the Processing of Personal Data Law mentioned
in the Europol Data Protection Report on the Republic of Cyprus
(Europol file number 2641-33) will remain valid also after the
entering into force of the amended Law."

Goulla Frangou

Commissioner for the Personal Data Protection

DRAFT AGREEMENT BETWEEN EUROPOL AND THE REPUBLIC
OF CYPRUS (doc. 3710-90)

Letter from the Chairman to Bob Ainsworth
MP, Under-Secretary of State Home Office

Sub-Committee F (Social Affairs, Education and
Home Affairs) considered these documents on 12 February.

We note that the Joint Supervisory Body has
in principle given the green light for the conclusion of the Agreement.
There remain, however, some concerns about its implementation,
as it appears that Cypriot data protection legislation has not
yet entered into force. The JSB notes that no data exchange can
take place before such legislation enters into force, but it is
doubtful whether there is any power to ensure that data exchange
will not take place once the Agreement is concluded. It is thus
essential to ensure that the appropriate legislation has entered
into force prior to the conclusion of the Agreement, and we would
be grateful for confirmation of that.

There are a number of other points on the text
of the Agreement on which we would be grateful for clarification.
These are similar to points we have raised on the draft Agreements
with Bulgaria and Slovakia, but I repeat them here for convenience.

Competent authorities

Article 6(1) states that the Republic of Cyprus
shall notify Europol of any changes to the list of competent authorities
within three months after such changes come into effect. It appears
that the only condition for the extension of the list of Cypriot
authorities which may receive Europol data (which would constitute
an amendment to one of the Annexes of the Agreement) is a mere
notification by the Cypriot authorities, with no control by Europol
or the Council of Ministers. I would be grateful if you could
confirm whether this is the case as there would then seem to be
no check on the proliferation of competent authorities.

Termination of supply of personal data

Article 9(5) states that "no personal data
shall be supplied where an adequate level of data protection is
no longer guaranteed". It is not clear how this would be
assessed and which body would decide the termination of data supply.
Could this be done unilaterally by one of the Parties?

Amendments to the Agreement

Article 19(1) states that the Agreement may
be amended "by mutual consent between the Contracting Parties".
It is unclear whether such an amendment would require fresh Council
approval, and to what extent it would be subject to national Parliamentary
scrutiny.

We would welcome your comments on these points.
In the meantime, the Committee will retain the documents under
scrutiny.